Expert Advice Community


Control diversification

Guest user Created:   Oct 05, 2021 Last commented:   Oct 05, 2021


Hi, I'm a customer using your template package for ISO 27001.

Quick question for the experts:

I've read this thread in the community (https://community.advisera.com/topic/control-objectives-in-the-statement-of-applicability) but I'm still having some difficulties.

We're a very small organization with a scope of 3-4 people. We've never had a security incident. I know that you've added the "Control objective" column to make it practically easier, but I'm starting to wonder if we should completely remove the column. The only control objective I can think of is "We want to continue having 0 (zero) security incidents". And sure, I can put in "We want to have zero security incidents due to (insert e.g., lack of patching, poorly managed access rights, etc.)".

Currently, I've written the same thing in almost every control (formulated as a question, though):
- Have any incidents occurred due to a failed control over access rights?
- Have any incidents occurred due to the lack of security measures in the transfer of physical media?

I cannot figure out how to diversify it. Can I completely ignore the control objective column and just go by "We want to keep having zero security incidents. If we register any, how many? And due to what?" and then look at the weakness?


Expert
Rhand Leal Oct 05, 2021

Indeed, for such small companies this column is not practical, and it would be better for you to create a shortlist of objectives in the Information Security Policy or to develop a separate document with them.

Besides decreasing incident occurrence, you can also define control objectives like:

  • reduction of the cost of fines related to legal breaches (e.g., for controls A.18.1.4 Privacy and protection of personally identifiable information and A.18.1.5 Regulation of cryptographic controls)
  • increase in information systems uptime (e.g., for controls A.16.1.5 Response to information security incidents and A.17.1.2 Implementing information security continuity)
  • increase in process effectiveness/efficiency (e.g., for controls A.12.1.3 Capacity management and A.14.1.1 Information security requirements analysis and specification)

Regarding security incident objectives, you do not need to define one for every clause. You can define a single objective for the whole ISMS (e.g., at most 3 incidents per year).

For further information, see:
